configpolicy/roles/sudo/tasks/main.yml


# Install the sudo package set.  Empty entries in sudo_packages are filtered
# out so a blank placeholder in a vars file does not become an empty package
# name (which the package module would reject).
- name: ensure sudo packages are installed
  tags:
    - install
  package:
    name: "{{ sudo_packages | reject('eq', '') }}"
    state: present
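# Create the group that the 10_sudo sudoers fragment below grants rights to.
# Written as native block YAML rather than a "key=value" argument string so the
# module arguments are parsed by YAML, not by Ansible's k=v splitter.
- name: ensure sudo group exists
  group:
    name: sudo
    state: present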
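# Add every admin user to the sudo group.  `append: true` only ADDS a
# membership: a user later removed from admin_users keeps sudo access until
# some other task (or an operator) takes it away -- membership is not
# reconciled here.  Native block YAML replaces the "key=value" form so a
# user name containing whitespace or "=" cannot split the argument string.
- name: ensure admin users members of sudo group
  user:
    name: "{{ item }}"
    groups: sudo
    append: true
  with_items: "{{ admin_users }}"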
# Install the sudoers fragment that grants the sudo group its privileges.
# `validate` runs visudo on the staged copy before it replaces the live file,
# so a syntax error in sudo.sudoers cannot lock everyone out of sudo.  0440 is
# the mode sudo expects for sudoers.d fragments; quoted so YAML keeps the
# leading zero instead of reading an octal integer.
- name: ensure members of sudo group can use sudo
  copy:
    src: sudo.sudoers
    dest: /etc/sudoers.d/10_sudo
    mode: "0440"
    validate: visudo -cf %s
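# Remove the fragment written by older versions of this role; its content now
# lives in /etc/sudoers.d/10_sudo.  Converted from a "key=value" argument string
# to block YAML, in line with the other tasks in this file.
- name: ensure legacy sudo group configuration is removed
  file:
    path: /etc/sudoers.d/sudo
    state: absent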
# Render the PAM stack for sudo.  It is a template rather than a static file,
# presumably so the pam_ssh_agent_auth entry can be switched on
# sudo_use_pam_ssh_agent -- verify against templates/sudo.pam.conf.  There is
# no validator for PAM files, so a broken template is only noticed at the next
# sudo invocation; root:root with u=rw,go=r matches the distro-shipped file.
- name: ensure pam is configured for sudo
  tags:
    - pam-ssh-agent
  template:
    src: sudo.pam.conf
    dest: /etc/pam.d/sudo
    owner: root
    group: root
    mode: u=rw,go=r
# Write the public keys that pam_ssh_agent_auth will accept for sudo.  This
# file is effectively a credential list for root: keep it root-owned and not
# group/world-writable (pam_ssh_agent_auth is strict about the file's
# ownership and permissions).  Assumes sudo_authorized_ssh_keys is a single
# string in authorized_keys format (one key per line); a list variable would
# be rendered as its Python repr -- TODO confirm against the role defaults.
- name: ensure sudo authorized ssh_keys are configured
  when: sudo_use_pam_ssh_agent
  tags:
    - pam-ssh-agent
    - pam-ssh-agent-keys
  copy:
    dest: /etc/security/sudo.authorized_keys
    content: "{{ sudo_authorized_ssh_keys }}"
    owner: root
    group: root
    mode: u=rw,go=r
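# When PAM ssh-agent authentication is disabled, remove the key file so no
# stale authorized keys for sudo remain on the host.  The task above writes
# /etc/security/sudo.authorized_keys, but this cleanup previously only removed
# /etc/security/sudo.sshkeys, leaving the real key file behind.  sudo.sshkeys
# is presumably an older path for the same file (verify against
# templates/sudo.pam.conf); it is kept so hosts configured by earlier versions
# of this role are cleaned up as well.
- name: ensure sudo authorized ssh_keys are not configured
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    - /etc/security/sudo.authorized_keys
    - /etc/security/sudo.sshkeys
  when: not sudo_use_pam_ssh_agent
  tags:
    - pam-ssh-agent
    - pam-ssh-agent-keys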
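# Upstream documentation says this is only required for "old" versions
# of sudo, however without it, SSH key authentication always fails. I
# suspect it is only unnecessary when users originally authenticated to
# the SSH daemon using a public key, but required for other forms of
# authentication, such as GSSAPI.
#
# sudo's env_reset strips SSH_AUTH_SOCK from the environment; keeping it is
# what lets pam_ssh_agent_auth reach the caller's agent.  When
# sudo_use_pam_ssh_agent is false the fragment is written empty rather than
# removed, which sudo tolerates but leaves an empty file in sudoers.d.
- name: ensure sudo is configured for pam_ssh_agent_auth
  copy:
    dest: /etc/sudoers.d/ssh-auth-sock
    content: |+
      {% if sudo_use_pam_ssh_agent %}
      Defaults env_keep += "SSH_AUTH_SOCK"
      {% endif %}
    owner: root
    group: root
    # sudo expects sudoers.d fragments at 0440 (what visudo writes and what
    # 10_sudo above uses); the previous u=rw,g=r,o= (0640) is more permissive
    # than that, which sudo warns about and, depending on version, may ignore
    # or silently correct.  Quoted so YAML keeps it a string.
    mode: "0440"
    # visudo checks syntax only; ownership and mode are enforced by sudo itself.
    validate: visudo -cf %s
  tags:
    - pam-ssh-agent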